27 November 2017

Social Engineering Toolkit

As pentesters, social engineering helps us obtain confidential information and, together with HUMINT and OSINT, is a good place to start. Most of the time, however, we also need a social engineering toolkit to deceive people. For instance, there are tools that let us clone a web page and build our own malicious copy with a built-in exploit for gaining access to the victim's computer. These tools can capture passwords, insert our own payload, and exploit the major vulnerabilities of Java, Flash, IE, Mozilla, etc.

The best-known social engineering toolkit is SET, developed by David Kennedy, an open source framework with many attack features. For example, we can easily create a spear-phishing attack aimed at stealing the victim's credentials, or even send mail en masse to an organization. SET can also clone web pages to launch DNS spoofing or phishing attacks. What's more, it can quickly create malicious files (.exe), or we can import our own malicious file as a payload. More recently, SET has added new attack features such as wireless attacks, which create rogue wireless access points to perform a man-in-the-middle (MITM) attack for sniffing traffic, as well as Arduino-based attacks, a QR code generator attack, a PowerShell attack and an SMS spoofing attack.

SEToolkit

When I gave the talk about my own Domain Generation Algorithm (DGA) for the ISACA Challenge, about bypassing firewall security features like web filtering, I used SET to add realism to the attack, because with a social engineering toolkit it is easy to demonstrate how people can be deceived into installing malicious files on their computers. In fact, I cloned a web page and performed a MITM attack to redirect the victim to the malicious page, which hosted Java exploits to take advantage of Java vulnerabilities, and I imported my own DGA payload into the Java exploits to create random domains and bypass web filtering.
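From the defender's side, the web-filtering bypass described above relies on the victim resolving a stream of algorithmically generated domains, and that stream is visible in DNS logs. The following is an added example, not code from the original post or from SET, that scores the registrable label of each queried name by length, Shannon entropy and vowel ratio, flags DGA-like names, and then groups hits by client to surface the host that is beaconing. The log format, the sample lines and the thresholds are all constructed assumptions for this illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not from the original post). Assumed layout:
# "<timestamp> <client-ip> <queried-name>". The three 16-character names on
# client 10.0.0.7 are meant to look like DGA output; the others are ordinary.
SAMPLE_DNS_LOG = """\
2017-11-27T10:00:01 10.0.0.5 www.example.com
2017-11-27T10:00:02 10.0.0.5 mail.example.org
2017-11-27T10:00:03 10.0.0.7 xk3q9vzt7pb2wlmr.net
2017-11-27T10:00:04 10.0.0.7 q8hz1lx0wvcj4tpy.com
2017-11-27T10:00:05 10.0.0.9 stackoverflow.com
2017-11-27T10:00:06 10.0.0.7 p7sdk2jrxw9ncbvf.org
2017-11-27T10:00:07 10.0.0.9 docs.python.org
"""

VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Return the label left of the TLD, e.g. 'example' for www.example.com.
    Only this label is scored: random-looking *subdomains* are common on
    CDNs and would otherwise drown the result in false positives."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters give 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def is_dga_like(label, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Long, high-entropy and vowel-poor labels are flagged. Entropy alone is
    not enough: 'stackoverflow' scores above 3.5 bits but has a normal vowel
    ratio, so it passes."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def find_dga_candidates(log_text):
    """Return (client, fqdn) pairs whose registrable label looks generated."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        if is_dga_like(registrable_label(name)):
            hits.append((client, name))
    return hits


def noisy_clients(log_text, min_hits=2):
    """Clients with at least min_hits flagged queries: one odd name is noise,
    a run of them from the same host is worth a look."""
    per_client = defaultdict(int)
    for client, _name in find_dga_candidates(log_text):
        per_client[client] += 1
    return sorted(c for c, n in per_client.items() if n >= min_hits)


if __name__ == "__main__":
    for client, name in find_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like name {name}")
    print("clients to investigate:", noisy_clients(SAMPLE_DNS_LOG))
```

The thresholds are deliberately conservative and a production version would consult the Public Suffix List instead of taking the second-to-last label, keep an allowlist of known-noisy legitimate domains, and alert on the per-client count rather than on single names; the point of the example is that a DGA which beats a category-based web filter still leaves a statistical footprint in DNS.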

These weeks I'm working with the social engineering toolkit to build a lab with PowerShell attack vectors for getting into Windows 10 systems. As always, it is very easy to create a malicious file with a reverse shell for accessing the victim's computer and stealing whatever we want. However, once we have the malicious file, we still have to deceive the victim, because it has to be executed with administrator privileges to inject shellcode into the operating system. How can we deceive the victim into executing the malicious file? Again, SET helps us clone web pages and deploy malicious files, it helps us perform spear-phishing attacks, and so on. It is just a matter of thinking about social engineering.
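The PowerShell attack vectors mentioned above ultimately have to launch powershell.exe on the victim's machine, usually from a document or browser the user was tricked into opening, and that launch is recorded in process-creation telemetry. The following is an added example for the defending side, not code from the original post or from SET: it scores constructed process-creation events on the presence of hidden-window, no-profile, execution-policy-bypass and encoded-command switches plus a suspicious parent process, and decodes any base64 UTF-16LE command so an analyst can read what was run. The event layout, sample events, weights and threshold are assumptions made for the illustration.

```python
import base64
import re


def _b64_utf16(cmd):
    """Build a PowerShell -EncodedCommand blob (base64 over UTF-16LE) for the
    constructed samples below; the encoded commands are harmless one-liners."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (not from the original post). Assumed
# layout: "<time>|<parent image>|<image>|<command line>".
SAMPLE_EVENTS = [
    "2017-11-27T11:00:00|explorer.exe|powershell.exe|"
    "powershell.exe -NoProfile -Command Get-Process",
    "2017-11-27T11:00:05|WINWORD.EXE|powershell.exe|"
    "powershell.exe -nop -w hidden -ep bypass -enc " + _b64_utf16("Write-Host 'lab test'"),
    "2017-11-27T11:00:09|services.exe|powershell.exe|"
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    "2017-11-27T11:00:12|OUTLOOK.EXE|powershell.exe|"
    "powershell.exe -WindowStyle Hidden -NonInteractive -EncodedCommand " + _b64_utf16("Start-Sleep 1"),
]

# (pattern, reason, weight). Each switch is legitimate on its own, which is
# why they are weighted and summed instead of matched individually.
SUSPICIOUS_SWITCHES = [
    (r"(?i)(?:^|\s)-(?:nop|noprofile)\b", "no profile", 1),
    (r"(?i)(?:^|\s)-(?:w|windowstyle)\s+hidden\b", "hidden window", 2),
    (r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b", "execution policy bypass", 2),
    (r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command", 3),
]

# Office and browser processes have no business launching PowerShell; a
# phishing document or cloned page is the usual reason they do.
PHISHING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "iexplore.exe", "firefox.exe", "chrome.exe"}


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None."""
    m = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Score one event; higher means more like a social-engineering launch."""
    time, parent, image, cmdline = event.split("|", 3)
    result = {"time": time, "score": 0, "reasons": [], "decoded": None}
    if image.lower() != "powershell.exe":
        return result
    for pattern, reason, weight in SUSPICIOUS_SWITCHES:
        if re.search(pattern, cmdline):
            result["score"] += weight
            result["reasons"].append(reason)
    if parent.lower() in PHISHING_PARENTS:
        result["score"] += 3
        result["reasons"].append(f"spawned by {parent}")
    result["decoded"] = decode_encoded_command(cmdline)
    return result


def alerts(events, threshold=4):
    """Events at or above the threshold; the admin's -NoProfile one-liner and
    the scheduled backup script stay below it."""
    return [r for r in (score_event(e) for e in events) if r["score"] >= threshold]


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a["time"], a["score"], ", ".join(a["reasons"]))
        if a["decoded"]:
            print("   decoded:", a["decoded"])
```

The parent-process weight is what separates the two alerts from the administrator's interactive session and the scheduled script: the same switches launched from explorer.exe or services.exe score low. On a real estate the event source would be Sysmon event 1 or Windows event 4688 with command-line auditing enabled, and the decoded command should be stored with the alert, since the encoded form is otherwise opaque to whoever triages it.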

Therefore, as pentesters, everything is useful: we can use HUMINT and OSINT as well, but a social engineering toolkit is a powerful tool we need in order to obtain a company's confidential and private information. Sadly, this kind of toolkit is used by offenders, and that is the main reason why pentesters should use it as well.